Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- If audisp-remote plugin has a queue at exit, use non-zero exit code
- Fix autrace to use the exit filter
- In audisp-remote, add a sigchld handler
- In auditd, check for duplicate remote connections before accepting
- Remove trailing ':' if any are at the end of acct fields in ausearch
- Update remote logging code to do better sanity check of data
- Fix audisp-prelude to prefer files if multiple path records are encountered
- Add libaudit.conf man page
This is a security and bug fix release. This release is mostly focused on
networking issues. The audisp-remote plugin now bases its exit code on whether
it had records that could not be transferred to the aggregator. Audisp-remote
was also leaving zombie processes when one of the _action config options was
set to exec. Auditd was also not checking for duplicate connections from the
same machine before accepting.
There were a couple of networking packet length check problems reported by
Sebastian Krahmer of Suse. The most serious issue was in the gssapi code.
After checking with other distributions, none had enabled this code. So,
likely this is not a problem for most people. If you roll your own package and
enable gssapi support, it is recommended that you upgrade. The main issue
was that the packet length taken from the network packet itself was not
sanitized before being trusted. It's believed that this will eventually lead
to a problem in the kerberos libraries. A few other places in the code were
found to be trusting the packet length. Analysis found that nothing bad happens
in these other places. They would all eventually lead to a read of 0 length and
auditd will disconnect without logging the malicious event. It should be pointed
out that if you use remote logging, you want to specify the tcp_client_ports to
be < 1024 to make sure only processes with CAP_NET_BIND_SERVICE can send audit
events.
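As an added example (not code from the audit package; the frame layout, magic value and size cap are constructed for illustration), this is the kind of bounds check the sanitization fix above describes: the peer-supplied length is validated against a fixed maximum and against the bytes actually received before anything reads, allocates or copies based on it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed frame layout for this example only (NOT the real audit
 * remote protocol header): a 4-byte magic followed by a 4-byte payload
 * length, both big-endian, then the payload itself. */
#define FRAME_MAGIC     0xAD17u   /* constructed value */
#define HEADER_LEN      8u
#define MAX_PAYLOAD_LEN 8192u     /* cap chosen for the example */

enum frame_status {
    FRAME_OK        =  0,   /* header sane, *payload_len is safe to use      */
    FRAME_SHORT     = -1,   /* not enough bytes yet; read more, do not act    */
    FRAME_BAD_MAGIC = -2,   /* not a frame we understand; disconnect          */
    FRAME_BAD_LEN   = -3    /* peer-supplied length out of bounds; disconnect */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate a frame header before the length it carries is used for any
 * read size, allocation or copy. `received` is how many bytes are actually
 * in `buf`; the advertised length is only trusted once it is bounded by
 * both the protocol maximum and the bytes really present. */
int validate_frame(const uint8_t *buf, size_t received, uint32_t *payload_len)
{
    if (received < HEADER_LEN)
        return FRAME_SHORT;
    if (read_be32(buf) != FRAME_MAGIC)
        return FRAME_BAD_MAGIC;

    uint32_t len = read_be32(buf + 4);

    /* Bound the untrusted value first: zero means there is nothing to read
     * (the peer is stalling or confused) and anything above the cap could
     * only drive an oversized read or allocation downstream. */
    if (len == 0 || len > MAX_PAYLOAD_LEN)
        return FRAME_BAD_LEN;

    /* Compare against the bytes on hand without computing HEADER_LEN + len,
     * so the check itself cannot overflow. */
    if (len > received - HEADER_LEN)
        return FRAME_SHORT;

    *payload_len = len;
    return FRAME_OK;
}
```

A caller treats FRAME_SHORT as "wait for more data" and the two error codes as grounds to drop the connection, which matches the disconnect behaviour described for the non-gssapi paths.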
Other bugs fixed include fixing autrace to place audit rules on the exit filter,
trimming ':' from acct records in AUDIT_LOGIN events so that they can be
interpreted correctly, and the audisp-prelude plugin choosing the first audit
record when multiple path records are in the same event. In many cases this
would be a directory, but we now look for the record whose mode field indicates
that the object is a file.
Please let me know if you run across any problems with this release.
-Steve